Posted by: David Harley | October 9, 2015

Sweeping out the App Store

While I’m not always Apple’s biggest fan, a story by Nick Farrell for TechEye – Apple finds more malware in its App store – strikes me as a little overstated: apps installing root certificates can clearly cause privacy problems, but writing off whatever apps are being looked at as malware by definition is a bit over the top, however irritating you may find Apple’s ‘more secure than thou’ mindset.

Other (calmer) commentary:

David Harley


Posted by: David Harley | October 8, 2015

Pop-ups and Support Scams

Today I added a link to the support scam resources page at AVIEN: this one is by me for ESET, on the way support scams are gradually moving away from simple-minded cold-calling to fake-AV-like pop-ups, intended to trick victims into making the initial telephone contact.

I figured it was also worth flagging here since the scams are aimed not only at Windows users but at users of OS X and iOS, Android, and even (rather ineptly) Linux. How many Linux users believe their system uses an NT Kernel or the Windows Firewall?

[Image: Linux pop-up claiming an NT kernel / Windows Firewall problem]

(And no, Wine doesn’t have a bearing on this either: it implements the App Binary Interface in userspace, not in a kernel module.)

Here’s the direct link to the ESET article: Tech Support Scams: Top of the Pop-Ups, which has a few more screenshots, much more information, and some undiluted sarcasm. Sorry, support scammers just bring out the worst in me…

And for those who believe that nothing bad could ever happen to anyone who uses an Apple device, here are a few screenshots to show the sort of thing we’re seeing.

[Image: iOS pop-up, fake system crash]

Crude, but could be ineffective. For comparison, here is a typical Windows fake Blue Screen of Death (BSOD) screenshot.

[Image: fake BSOD]

And here’s a Mac version.

[Image: OS X fake system crash]

Moving away from the fake system crash approach to scamming, here’s a pop-up that claims Safari has detected something malicious. I’ve seen these on OS X and iOS, but on other browsers and platforms too. And, of course, they also masquerade as anti-virus alerts from the likes of McAfee, Symantec/Norton, even AVG and MSE.

[Image: fake Safari alert]

And here’s an example of the sort of thing we’re seeing on Android, so that Chris DiBona won’t feel left out.

[Image: Android pop-up]

I guess, though, that given the recent fuss over XcodeGhost and YiSpecter the number of people who believe in Apple’s immunity to malevolent software may have dropped slightly.

Hat tip to Steve Burn and Jerome Segura for their excellent work on support scam evolution.

David Harley

Posted by: David Harley | October 6, 2015

YiSpecter: Drop your iPhone, Mr Bond*


Claud Xiao responded to my (very mild) criticism in the original article below, making several points I think are well worth making.

In the past 5 years, there were over 10 malware, adware or PoCs that can affect non-jailbroken iOS devices. Except for some PoCs, all the others were developed with public iOS APIs. Which means that what they can do (and what they did) is predictable in some ways and is managed by the system. For example, the famous FindAndCall collected contacts’ phone numbers and sent them to its C2 server for further abuse; the recent scammer Oneclickfraud displayed a page asking you to purchase.

Compared with them, the primary difference in YiSpecter is that it abused private APIs to implement some unexpected functionalities. For example, it can hijack other apps’ launching to display ads. Actually, compared with this malware itself, I care more about how this technique can be and will be used by others in the future. According to some academic works (referred to in the report), an app can perform many sensitive operations this way, and App Store’s review of it is still not strict enough. Most people may have thought that malware, adware or PUPs can’t really harm infected non-jb iOS. But since YiSpecter, the rules have changed. This is exactly what I mean by its being “different”.

Thanks for your clarification, Claud!


Here’s more excellent analysis from Claud Xiao for Palo Alto, this time on the YiSpecter malware: YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs.

The title and the article are slightly misleading in that Xiao states that:

‘YiSpecter is different from previously seen iOS malware in that it attacks both jailbroken and non-jailbroken iOS devices through unique and harmful malicious behaviors.’

In fact, as Axelle Apvrille pointed out for Fortinet last year – in an article called iOS Malware Does Exist – malware that can affect non-jailbroken devices was already known. Still, those examples look fairly puny compared to the impact that YiSpecter has had.

Articles that also refer:


David Harley

Posted by: David Harley | October 3, 2015

Apple updates

iOS 9.0.2 addresses the infamous PIN bypass (which uses Siri).

The El Capitan upgrade, according to Shaun Nichols for The Register, fixes 101 CVE-listed security vulnerabilities. No, I haven’t counted them myself.

Safari 9 addresses 45 CVE-listed issues. I haven’t counted those, either.

David Harley

Posted by: David Harley | October 1, 2015

Evading Gatekeeper

John Leyden summarizes, for The Register, Patrick Wardle’s presentation at this week’s Virus Bulletin conference in Prague: his article is called How to evade Apple’s anti-malware Gatekeeper in OS X and really ruin a fanboy’s week. An article for Threatpost by Michael Mimoso – Apple Gatekeeper Bypass Opens Door for Malicious Code – points out that Wardle:

…has shared his findings with Apple, which is reportedly working on a short-term mitigation until a full patch can be pushed out to users.

The problem is that Wardle’s bypass could require some re-architecting of the operating system to fully address the design weakness being exploited.

David Harley

Posted by: David Harley | September 24, 2015

XcodeGhost: Apple is optimistic

This, apparently, is the Apple view of the situation. Compared to the reports I’ve been seeing from the security industry, it appears to be orders of magnitude more optimistic about the number of apps affected and the impact on victims.

‘We have no information to suggest that the malware has been used to do anything malicious…’

It does point to advice to developers on verifying the version of Xcode they’re using.
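As an added illustration, not code from the original post or from Apple: Apple’s advice to developers was to run Gatekeeper’s assessment against the Xcode bundle (spctl --assess --verbose /Applications/Xcode.app) and expect ‘accepted’ with a source of Mac App Store, Apple or Apple System; anything else means the copy wasn’t signed by Apple and should be deleted and reinstalled from Apple. This small POSIX shell script wraps that check so the verdict logic can be tested offline; the function names are my own and the sample spctl outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or from Apple. Wraps the
# Gatekeeper check Apple recommended after XcodeGhost:
#   spctl --assess --verbose /Applications/Xcode.app
# A trusted copy reports "<path>: accepted" with a second line of
# source=Mac App Store, source=Apple or source=Apple System.
# Function names (xcode_verdict, check_xcode, demo) are my own.

# xcode_verdict: return 0 when the full spctl output ($1, normally two
# lines) says the bundle was accepted from an Apple-controlled source.
xcode_verdict() {
  verdict=$(printf '%s\n' "$1" | head -n 1)
  src=$(printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1)
  case "$verdict" in
    *": accepted"*) ;;
    *) return 1 ;;
  esac
  case "$src" in
    "Mac App Store"|"Apple"|"Apple System") return 0 ;;
    *) return 1 ;;
  esac
}

# check_xcode: assess a bundle (default /Applications/Xcode.app) with spctl.
# Returns 0 if trusted, 1 if not, 2 where spctl is absent (i.e. not macOS).
check_xcode() {
  path="${1:-/Applications/Xcode.app}"
  if ! command -v spctl >/dev/null 2>&1; then
    echo "spctl not found; run this on the Mac that has Xcode installed" >&2
    return 2
  fi
  out=$(spctl --assess --verbose "$path" 2>&1)
  if xcode_verdict "$out"; then
    echo "OK: $out"
  else
    echo "SUSPECT, reinstall Xcode from Apple: $out" >&2
    return 1
  fi
}

# Constructed sample outputs in the two-line shape spctl prints, so the
# verdict logic can be exercised on a machine without spctl.
GOOD_SAMPLE='/Applications/Xcode.app: accepted
source=Mac App Store'
BAD_SAMPLE='/Applications/Xcode.app: rejected
source=no usable signature'

demo() {
  xcode_verdict "$GOOD_SAMPLE" && echo "sample 1: trusted source"
  xcode_verdict "$BAD_SAMPLE" || echo "sample 2: not trusted"
}
```

On a Mac, `check_xcode` runs the real assessment; the script deliberately treats an ‘accepted’ verdict from any other source (a Developer ID certificate, say) as untrusted, since Apple’s point was that only Apple-signed copies of Xcode are known good.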

David Harley

Posted by: David Harley | September 23, 2015

XcodeGhost – more spookiness

[Update: also some interesting commentary (as ever) from Graham Cluley: XcodeGhost continues to haunt users of the iOS App Store]

From Palo Alto:

Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps

While John Leyden hypothesizes for The Register on why so many developers cut corners by using ‘dodgy code’:

XcodeGhost attack tapped into dev distaste for Apple’s Gatekeeper – Slow, unwieldy downloads, $99 dev ID fee also contribute to App Store appocalypse

SANS NewsBites Vol. 17 Issue #74 includes some patchy commentary, but lots of links on this issue (among others). (NewsBites subscription signup here.)

David Harley

Posted by: David Harley | September 23, 2015

XcodeGhost-ly apps up to 4,000, says FireEye

It sounds as if even Qihoo360’s estimate of at least 350 apps compromised by XcodeGhost was quite conservative. FireEye claims to have identified more than 4,000 infected programs on the App Store.

In any case, it’s definitely time to check your recent apps and upgrade if necessary.

David Harley

Posted by: David Harley | September 22, 2015

Looking Out For XcodeGhost

While Apple has removed a number of compromised apps from the App Store, security company Lookout has compiled a list of apps known to be affected, plus others that it is actively investigating. iGadget users who acquire apps more frequently than I do might well find it worth keeping an eye on.

Lookout makes a fair point about the limitations imposed on security apps by Apple’s security model for iOS, which not only rules out on-access scanning (an essential component of mainstream anti-malware on other platforms) but also makes passive scanning for the presence of malicious apps on the device harder. Lookout says:

Unfortunately due to limitations Apple has placed on apps on the iOS platform Lookout Mobile Security for consumers is not able to detect whether you have an infected app installed.

While Lookout remains available from the App Store, Apple effectively killed off development of at least one mainstream anti-malware product by removing it from the App Store some months ago, so that engine updates were no longer available. Intego indicated that theirs was not the only product affected, though offhand I can’t think of a mainstream product for iOS that was as close to a conventional (albeit only on-demand) scanner as Intego’s was. John Leyden commented for The Register at the time:

It seems Apple is acting in the belief that antivirus apps for iOS are either unnecessary or create the wrong impression. (You can read about the security in iOS here, as a PDF.)

Will Apple reconsider that belief (if Leyden is correct) in the light of the number of apps (at least 350, according to Qihoo360) and users (hundreds of millions, according to Palo Alto) affected? I suspect that it will take the company some time to get its head round the idea that there could ever be (jailbroken devices apart) unequivocally malicious programs lurking on an iGadget or in the App Store.

David Harley

Posted by: David Harley | September 21, 2015

XcodeGhost excitement

There has been lots of excitement over the iOS (and *according to Palo Alto, OS X) malware XcodeGhost. Or, to be precise, apps compromised by the counterfeit XcodeGhost object file. The Palo Alto article was unavailable for a while, but has lots of detail and has been updated as the story has developed. Qihoo360 claimed to have detected 344 compromised apps. Palo Alto asserts that this is the 6th instance of malware found on the App Store, citing LBTM, InstaStock, FindAndCall, Jekyll and FakeTor as earlier examples.

Other commentary:

David Harley

*”On Wednesday, Chinese iOS developers disclosed a new OS X and iOS malware on Sina Weibo.”
